Agencies debate how much data is needed on HSPD-12 cards
- By Jason Miller
- Apr 24, 2006
Agencies are banding together to try to get the White House not to include the electronic National Agency Check indicator on the Homeland Security Presidential Directive-12 identification smart card. And while this seems to be a minor issue, it could wind up costing agencies a lot of money if they don't succeed.
'The cost versus the relative security is a wash,' said an agency official familiar with the inner workings of HSPD-12, who requested anonymity.
The Office of Management and Budget originally required agencies to go through the NAC process with more arduous written inquiries, which can take months, if not years, before issuing cards. But after agency complaints, OMB compromised and said in Federal Information Processing Standard-201 in February 2005 that agencies could issue interim cards if employees went through electronic background checks, which include being run through the FBI fingerprint and terrorist watch list databases. They still would need the full written inquiries but would have temporary, limited access.
But the revised FIPS-201-1, released in March, required, to the agencies' surprise and chagrin, that the identification card include the status of the written inquiry: complete or incomplete. Therefore the card would have to be updated when the written inquiry was complete.
'Very few people in government think putting the NACI indicator on the card is a good idea,' said Mike Butler, the Defense Department's chief of smart-card programs for the Common Access Card Office and chairman of the Interagency Smart Card Advisory Board. 'But it is written in FIPS-201-1, and we have to figure out how to get it changed.'
Some in government, however, believe the indicator on the card is important in helping agencies decide whether to give a visitor access. 'Without the indicator on the card, ... the minimum standard would be the fingerprint check. I'm not sure why this is such a big deal,' said a government official who requested anonymity.
The first official said it's a big deal because it would require agencies to create a large infrastructure to handle the re-issuing of all employees' cards when the written inquiries are completed, which according to FIPS-201-1 must be done in six months.
Butler said the IAB is working with the National Institute of Standards and Technology to change the requirement or come up with a workaround.
Butler said one workaround that DOD is using is a back-end authentication database, called the Federation for Identity and Cross-Credentialing Systems.
He said the system would 'validate a chain of trust' between two agencies and indicate whether the NACI is complete.